US11063981B2ActiveUtilityA1

Gateway, client device and methods for facilitating secure communication between a client device and an application server using redirect

71
Assignee: ERICSSON TELEFON AB L MPriority: Sep 11, 2015Filed: Sep 11, 2015Granted: Jul 13, 2021
Est. expirySep 11, 2035(~9.2 yrs left)· nominal 20-yr term from priority
H04L 63/0884H04L 61/4511H04W 12/04H04W 88/16H04W 4/38H04L 63/20H04W 12/0431H04W 12/06H04W 4/06H04L 61/1511
71
PatentIndex Score
2
Cited by
11
References
21
Claims

Abstract

It is provided a method performed in a gateway and comprises the steps of: receiving a first client request from the client device, the first client request comprising a first fully qualified domain name, FQDN; transmitting a gateway request to the application server; receiving an application server response from the application server, the application server response indicating a need to provide authentication; generating a second FQDN, based on the first FQDN and an identifier of the client device; generating a client specific shared key based on the second FQDN and a shared key; generating a redirect message comprising the second FQDN, an authentication request, a context identifier and the client specific shared key; transmitting the redirect message to the client device; receiving a second client request from the client device; and generating an authentication response in case the second client request fails to comprise an authentication response.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method for facilitating secure communication between a client device and an application server, the method being performed in a gateway and comprising the steps of:
 receiving a first client request from the client device, the first client request comprising a first fully qualified domain name (FQDN) for the application server; 
 transmitting a gateway request to the application server, wherein the gateway request is based on the first client request; 
 receiving an application server response from the application server, the application server response indicating a need to provide authentication; 
 generating a second FQDN, based on the first FQDN and an identifier of the client device; 
 generating a client specific shared key based on the second FQDN and a shared key which is not specific to the client device; 
 generating a redirect message comprising the second FQDN, an authentication request, a context identifier and the client specific shared key; 
 transmitting the redirect message to the client device; 
 receiving a second client request from the client device; and 
 generating an authentication response in case the second client request fails to comprise an authentication response. 
 
     
     
       2. The method of  claim 1 , wherein the step of generating the second FQDN is performed prior to the transmitting the gateway request; and wherein the gateway request comprises the second FQDN and the redirect message comprises the second FQDN as a redirecting destination. 
     
     
       3. The method of  claim 1 , wherein the redirect message comprises the second FQDN as a separate parameter. 
     
     
       4. The method of  claim 1 , wherein the step of transmitting the gateway request is a hypertext transfer protocol, HTTP, request having a get method, regardless of the method of the first client request. 
     
     
       5. The method of  claim 1 , further comprising the step of:
 establishing, using the context identifier and the client specific shared key, a secure session between the gateway and the application server, for communication between the client device and the application server when the second client request fails to comprise an authentication response. 
 
     
     
       6. The method of  claim 1 , wherein the step of generating the client specific shared key comprises the use of a generic bootstrapping architecture, GBA. 
     
     
       7. A gateway for facilitating secure communication between a client device and an application server, the gateway comprising:
 a processor; and 
 a memory storing instructions that, when executed by the processor, cause the gateway to: 
 receive a first client request from the client device, the first client request comprising a first fully qualified domain name (FQDN) for the application server; 
 transmit a gateway request to the application server, wherein the gateway request is based on the first client request; 
 generate a second FQDN, based on the first FQDN and an identifier of the client device; 
 generate a client specific shared key based on the second FQDN and a shared key which is not specific to the client device; 
 generate a redirect message comprising the second FQDN an authentication request, a context identifier and the client specific shared key; 
 transmit the redirect message to the client device; and 
 generate an authentication response in case a second client request transmitted by the client device fails to comprise an authentication response. 
 
     
     
       8. The gateway of  claim 7 , wherein the instructions to generate the second FQDN are performed prior to the instructions to transmit the gateway request; and wherein the gateway request comprises the second FQDN and the redirect message comprises the second FQDN as a redirecting destination. 
     
     
       9. The gateway of  claim 7 , wherein the redirect message comprises the second FQDN as a separate parameter. 
     
     
       10. The gateway of  claim 7 , wherein the instructions to transmit the gateway request further comprise instructions that, when executed by the processor, cause the gateway to transmit the gateway request being a hypertext transfer protocol, HTTP, request having a get method, regardless of the method of the first client request. 
     
     
       11. The gateway of  claim 7 , further comprising instructions that, when executed by the processor, cause the gateway to establish a secure session between the gateway and the application server for communication between the client device and the application server when the second client request fails to comprise an authentication response. 
     
     
       12. The gateway of  claim 7 , wherein the instructions to generate the client specific shared key comprise instructions that, when executed by the processor, cause the gateway to use a generic bootstrapping architecture, GBA. 
     
     
       13. A computer program product comprising a non-transitory computer readable medium storing a computer program for facilitating secure communication between the client device and the application server, the computer program comprising computer program code which, when run on the gateway causes the gateway to perform the method of  claim 1 . 
     
     
       14. A method for facilitating secure communication between a client device and an application server, the method being performed in the client device and comprising the steps of:
 transmitting a first client request to a gateway, the first client request comprising a first fully qualified domain name (FQDN) for the application server; 
 receiving a redirect message from the gateway, the redirect message comprising an authentication request, a context identifier, a client specific shared key and a second FQDN, wherein the second FQDN is generated based on the first FQDN and an identifier of the client device; 
 generating an authentication response based on the context identifier and the client specific shared key; and 
 transmitting a second client request to the gateway, the second client request comprising the authentication response and the second FQDN. 
 
     
     
       15. A client device for facilitating secure communication with an application server, the client device comprising:
 a processor; and 
 a memory storing instructions that, when executed by the processor, causes the client device to: 
 transmit a first client request to a gateway, the first client request comprising a first fully qualified domain name (FQDN) for the application server; 
 obtain from a received redirect message that was transmitted by the gateway an authentication request, a context identifier, a client specific shared key, and a second FQDN, wherein the second FQDN is generated based on the first FQDN and an identifier of the client device; 
 generate an authentication response based on the context identifier and the client specific shared key; and 
 transmit a second client request to the gateway, the second client request comprising the authentication response and the second FQDN. 
 
     
     
       16. A computer program product comprising a non-transitory computer readable medium storing a computer program for facilitating secure communication between the client device and the application server, the computer program comprising computer program code which, when run on the client device causes the client device to perform the method of  claim 14 . 
     
     
       17. The method of  claim 1 , wherein the second FQDN contains the first FQDN and the identifier of the client device. 
     
     
       18. The method of  claim 14 , wherein the second FQDN contains the first FQDN and the identifier of the client device. 
     
     
       19. The method of  claim 1 , the method further comprising the gateway obtaining the context identifier from an authentication server. 
     
     
       20. The method of  claim 1 , the method comprising:
 the gateway determining whether the second client request comprises an authentication response; and 
 as a result of determining that the second client request lacks an authentication response, modifying the second client request to include an authentication response and sending the modified second client request toward the application server. 
 
     
     
       21. The gateway of  claim 7 , wherein the instructions further cause the gateway to:
 determine whether the second client request comprises an authentication response; and 
 as a result of determining that the second client request comprises an authentication response, forward the second client request toward the application server.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.